A Risk-Based Approach to Deviation Management

A well-designed and implemented deviation management system offers a mechanism for obtaining critical quality data in a timely manner to enable quick response to failures, early warning of potential failures, and redeployment of resources to problematic areas. This article presents the key features of deviation management that can lead to early detection and resolution of problems and uncover gaps and weaknesses at a system's level that can help prevent potential problems in the future.

(PacificGMP)

Each year, the US Food and Drug Administration issues multiple warning letters to establishments citing failures in managing deviations, for example, failure to thoroughly investigate unexplained discrepancies or products that did not meet specifications; failure to determine the scope of a deviation; failure to verify that corrective actions were effective; or failure to recognize, report, investigate, and correct serious discrepancies and deviations later discovered by the FDA during inspections.1,2 Warning letters arise from inspection observations that are not satisfactorily resolved in a timely manner. In 2004 and 2005, "failure to thoroughly review any unexplained discrepancy" was among the 20 most common inspection observations and "failure to perform a proper investigation" was among the 10 most common observations in 2006 and 2007.3–5

Failure to understand and control process deviations exposes organizations to adverse regulatory action and financial loss, and compromises the organization's brand.

A well-designed and implemented deviation management (DM) system offers a mechanism for obtaining critical quality data in a timely manner to enable quick response to failures, early warning of potential failures, and redeployment of resources to problematic areas. It is one of the most valuable tools available to management to help maintain a state of control. To be successful, the DM process must work for the organization rather than the organization working for the system. It must be designed to perform at the correct level to meet the organization's needs and to deliver optimal results. This requires incorporating risk-management principles, prioritization, and an understanding of conflicting interests among the consumer, regulatory agencies, and the business.

This article presents the key features of DM, which if incorporated into working policies and procedures, will not only lead to early detection and resolution of problems but also will uncover gaps and weaknesses at a system's level that will help prevent potential problems. The result will eliminate redundancies in processes for investigating nonconformances; promote comprehensive and permanent solutions; strengthen management's oversight capability; reduce the probability of product recall; and enhance the company's bottom line.

DISCOVERY AND REPORTING OF DEVIATIONS

In this article, the term deviation encompasses events often referred to as nonconformances, errors, discrepancies, failures, or problems and is defined as unexpected or unplanned departures from current good manufacturing practices (cGMPs), regulations, standards, procedures, or specifications that may affect product safety, quality, identity potency, or purity.

The point of entry into the DM system is the discovery and documentation of a deviation on a standard report form (including automated reporting systems). Other systems can feed into the DM process at this point, e.g., discrepancies and nonconformances discovered during equipment calibration, stability testing, complaints management, production, labeling, validation, and so on. Integrating systems in this way eliminates the need for redundant processes such as investigation and corrective action planning and ensures all deviations, regardless of the system in which they occur, are handled in a consistent manner and generate trending data based on the same parameters.

A deviation should be documented with a description that is clear and concise and briefly states the who, what, where, and when information. Extraneous information that confuses the investigator and does not add value to the description of the problem should be avoided.

A good example of a deviation description is: "On Friday Feb 3, 2008, during the manufacturing of drug ABC, in room B-2 the technician failed to take the hourly in-process sample at 4 pm as per SOP 1234."

Compare the above example with the following deviation description that leaves the reader confused about the event reported: "Cycle count from machine hours 4:20 to 9:36 is not correct. The 24-hour inspection not performed. Cycle count from bin 9 to 11 is not possible." It is difficult to tell from this statement what the actual problem is or why the cycle count is not correct, how this is known, or who discovered the problem and when.

At the point of discovery, a knowledgeable subject matter expert should evaluate and assess the risk associated with the event. Risk is commonly defined as the combination of the probability of occurrence of harm and the severity of that harm. Deviations range in degree of criticality or potential risk; many are minor and can be corrected on the spot while others present a higher safety risk and require more work. Therefore, deviations must be handled in a manner that is commensurate with the level of risk. Higher risk deviations, that are a risk to the customer, (i.e., health or safety), risk to the business (e.g., loss of product or production), and regulatory risk (e.g., warning letters, recalls) may require immediate or containment actions to stop the deviation from continuing, to contain the damage or to gain control of all potentially affected products.